Fujitsu Group’s Information Security
Under the corporate governance system, the Fujitsu Group promotes appropriate information management and information usage according to Group rules, as part of risk management.
Corporate Governance and Risk Management
Corporate Governance
The main emphasis of Fujitsu’s corporate governance is on having the non-executive directors provide oversight and advice to executive directors in their management execution role within the Board of Directors, while adopting the Audit & Supervisory Board system.
Specifically, while assuming mutual supervision between directors and oversight of directors by the Board of Directors, Fujitsu makes a clear distinction between the management execution role and the management oversight role on the Board of Directors and, moreover, makes sure that there are at least as many non-executive directors responsible for management oversight as there are executive directors responsible for management execution.
In addition, in selecting candidates for non-executive directors, consideration is given to the candidates’ backgrounds and insight into Fujitsu’s business so that effective advice that reflects a diversity of viewpoints can be obtained.
Furthermore, Audit & Supervisory Board members provide audits and oversight from outside the Board of Directors, and Fujitsu has established the Executive Nomination Committee and Compensation Committee of its own accord, thereby augmenting the Board of Directors. The overall approach is designed to raise shareholder value through effective corporate governance.
Corporate Governance Structure (as of May 2015)
Risk Management
Through its global activities in the ICT industry, the Fujitsu Group continuously seeks to increase its corporate value, and to contribute to its customers, local communities and all other stakeholders. Management places a high priority on properly assessing and dealing with risks that threaten the achievement of our objectives, taking steps to prevent the occurrence of these risk events, and establishing measures to minimize the impact of such events if they do occur, and prevent their reoccurrence. Moreover, we have built a risk management and compliance system for the entire Group and we are committed to continuously implementing and improving it.
Implementing and Continuously Improving Risk Management
With the aim of integrating and strengthening its global risk management and compliance structures, the Fujitsu Group has established a Risk Management and Compliance Committee as an internal control committee that reports to top management.
The Risk Management & Compliance Committee appoints a Chief Risk Compliance Officer for each department and company throughout the Group, and encourages them to cooperate together both to guard against potential risks and to mitigate risks that materialize, thereby forming a risk management and compliance structure for the entire Group.
Figure: Risk Management & Compliance Structure. Stakeholders (customers, employees, shareholders & investors, business partners, society) surround a Plan-Do-Check-Act cycle guided by the FUJITSU Way: business activities, contributions to stakeholders, continuously increasing corporate value, and implementing and continuously improving risk management. Structure: Board of Directors; President and Representative Director; Risk Management & Compliance Committee (secretariat: Corporate Affairs & Risk Management Div.); each unit at headquarters and each business group appoints Chief Risk Compliance Officers, and each Group company appoints its own Risk Management & Compliance Committee, etc., and Chief Risk Compliance Officers. Arrows indicate election/dismissal, consultation, reporting, coordination and audit/supervision.
Figure: Corporate Governance Structure (as of May 2015). The Shareholders/Annual Shareholders’ Meeting elects and dismisses the Board of Directors (11 members: 5 executive directors and 6 non-executive directors, including 4 external directors), the Audit & Supervisory Board (5 members, including 3 external Audit & Supervisory Board members) and the Accounting Auditor. Basic stance on the internal control framework: emphasis is placed on non-executive directors conducting oversight over executive directors, on the premise that directors also provide mutual monitoring. The Compensation Committee and Executive Nomination Committee recommend/propose to the Board. Business execution organs: President and Representative Director, Corporate Executive Officers, Management Council, departments and Group companies. Internal control structure: Risk Management & Compliance Committee, FUJITSU Way Promotion Council, Internal Control Division, etc.; the Corporate Internal Audit Division conducts internal audits and coordinates with the Audit & Supervisory Board and the Accounting Auditor (audit/internal control audit).
Fujitsu Group Information Security Report 2015
1. Objectives
Fully recognizing that information provides the basis for the Fujitsu Group’s business activities and the risks that accompany the management of information, the Fujitsu Group conducts information security measures to achieve the objectives set forth below. In doing so, we seek to realize the Corporate Values of the FUJITSU Way, namely, “We seek to be the customer’s valued and trusted partner” and “We build mutually beneficial relationships with business partners.” At the same time, we will strive to maintain “confidentiality” as stipulated by the Code of Conduct as an essential part of our social responsibility.
(1) The Fujitsu Group properly handles information delivered by individuals, corporate clients or vendors in the course of its business to protect the rights and interests of these parties.
(2) The Fujitsu Group properly handles trade secrets, technical information and other valuable information in the course of its business to protect the rights and interests of the Group.
(3) The Fujitsu Group properly manages information in the course of its business to provide products and services in a timely and stable manner, with the view to maintaining its roles in society.
2. Activity Principles
The Fujitsu Group applies the following principles when conducting information security activities.
(1) Preservation of confidentiality, integrity and availability shall be the objective of information security, and information security measures shall be planned to meet this objective.
(2) The organizational structure and responsibilities shall be clearly defined to ensure the proper implementation of information security measures.
(3) The risks that accompany the handling of information and investments required for the measures shall be taken into consideration to properly implement the information security measures.
(4) Information security processes shall be organized into Plan, Do, Check and Act phases to maintain and enhance the level of information security.
(5) Executives and employees shall be provided with awareness and educational programs on information security and act with the knowledge of its sensitive nature to ensure the proper implementation of information security measures.
3. The Fujitsu Group’s Measures
To ensure the implementation of information security measures based on the aforementioned objectives and activity principles, the Fujitsu Group shall prepare and implement related rules.
Figure: Framework of Information Security Rules. The Fujitsu Group Information Security Policy sits at the top. Japanese Group companies follow procedures in two areas: Information Management (Information Management Rules, Other Company Confidential Information Management Rules, Personal Information Management Rules) and IT Security (Information System Security Rules, Fujitsu PKI* Usage Rules). Overseas Group companies prepare rules and policies for each company (Information Systems Security Policy, etc.).
* PKI: Public Key Infrastructure. Rules governing authentication of individuals, encryption, etc.
Fujitsu Group Information Security Policy
Information Security Policy and Related Rules
The Fujitsu Group “seeks to be the customer’s valued and trusted partner and build mutually beneficial relationships with business partners,” and to enforce “confidentiality” as an essential part of social responsibility. The Group has established the “Fujitsu Group Information Security Policy” and promotes information security.
The Fujitsu Group uses the Information Security Policy Formulation Guidelines to abide by information security-related regulations, taking into account the laws and systems in various countries and ensuring compliance with the policies in each Group company. It also uses the Global Information Security Management Framework to select, decide on and implement information security measures, as well as to evaluate and improve them.
Promoting Information Security Education
We think it is important not only to inform employees of the rules but also to improve the security awareness and skills of each staff member in order to prevent information leaks. We therefore conduct face-to-face information security education during training of new recruits and training for promotions and advancement of employees of Fujitsu and our domestic Group companies, and conduct annual e-learning for all employees, including executives.
e-Learning Screenshot
Raising Awareness Regarding Information Security
Guided by a common slogan that translates as “Declaration for complete information management! Information management is the lifeline of the Fujitsu Group,” Fujitsu and domestic Group companies have been working to increase information security awareness at the individual employee level by displaying awareness posters at respective business locations, affixing information security awareness stickers to all business computers used by employees and implementing other measures.
Also, a tool was introduced to prevent e-mails from being accidentally sent outside the Company, and in parallel with promoting the use of ICT, we increased the awareness of information security among individual employees.
Awareness-Raising Sticker: “Pledge to Enforce Rigorous Information Management” (in Japanese)
Information Security Seminars for Business Partners
The risk of information leakage is ever increasing in response to the drastically changing ICT environment in recent years. Accordingly, the Fujitsu Group has been holding information security seminars for business partners to whom it outsources software development and other services, as well as for Group employees.
Enhancing Personal Data Protection Systems
Fujitsu has established the “Personal Information Protection Policies” and “Personal Information Management Rules.” We are also continually strengthening the system for protecting personal information based on these rules, such as by conducting annual training and audits on the handling of personal information.
In August 2007, Fujitsu acquired Company-wide PrivacyMark certification and renews this certification every two years. Domestic Group companies also acquire PrivacyMark certification individually as necessary and promote thorough management of personal data. Overseas Group companies also publish privacy policies that meet their various national legal and social requirements on their main public Internet websites.
Other Support
An “Information Management Handbook” has been issued to increase understanding of internal rules related to information management. This handbook can also be referenced over the intranet, allowing for immediate confirmation of any information management questions. In addition, the intranet is used to bring attention to information leaks by introducing some of the many incidents of information leakage from around the world. Furthermore, a security check day is held once a month to allow managers to verify the status of security measures in their own divisions.
“Information Management Handbook” Screenshot (in Japanese)
The Necessity of Training Professional Information Security Personnel
Threats related to cyber-attacks, such as serious damage brought about by targeted attacks on companies and organizations, are becoming diversified and sophisticated. With this in mind, one of Fujitsu’s efforts to protect the information assets of its customers from those threats involved launching a system to search within the Fujitsu Group for engineers with a high level of security skills so that they can be trained and certified, and eventually dispatched in the field.
The Security Meister Certification System*1
Security specialists who can implement security measures to protect information systems from cyber-attacks will undergo systematic and continuous training, and be certified as Security Meisters. In this system, specialists are grouped into three categories, namely Field, Expert, and High Master, according to the functions and requirements of the job. There is a plan to train and certify 700 engineers by the end of fiscal 2016.
*1 The Security Meister Certification System is the official name of Fujitsu’s personnel training system. The word “Meister” is of German origin and refers to a person who has extensive theoretical knowledge and practical skills in their profession.
Three Security Meister Categories
Defining the Types of Security Engineers
The Security Meister Certification System defines the types of security engineers who can adapt to the needs of ICT development and operations today. The 15 types of security engineers, grouped into three categories defined by the various requirements of ICT development and operations, are outlined in the model below.
Security Meister Model
In realizing this model, Fujitsu takes into consideration its consistency with Japan’s IT skill standards and various security personnel models available overseas. Furthermore, High Master is defined as being equivalent to a white-hat hacker*3 or Top Gun*4.
*2 SI: System Integration
*3 White-hat hacker: Hacker who identifies security risks
*4 Top Gun: Security engineer with an advanced level of expertise
The following are examples of types of security engineers with their respective definitions. A System Security Engineer in the Field category is assigned to the Systems Development Division and is in charge of on-site security design and implementation of technical security countermeasures.
A Security Incident Handler is assigned to the Systems Operation Division and is in charge of the system security operation design and implementation of security countermeasures concerning information security incidents that occur on-site.
A Computer Wizard in the High Master category is assigned to the Development Division of embedded systems, can conduct original research and share and disseminate information by leveraging their technical capabilities. This kind of personnel utilizes cutting-edge security technology, is self-motivated and expected to participate in and give presentations at external organizations’ events (including research and security seminars for local engineers).
Cyber-attacks are becoming a social problem. Going forward, cyber-attacks are expected to become highly advanced and increasingly sophisticated with the introduction of the National Identification Number System (social security and tax number), and as society moves towards the age of the Internet of Things in which 50 billion devices will be connected to the Internet. Fujitsu, being on the front lines of system integration and service operations, is engaged in the training and development of information security personnel to improve the quality of its security and to realize solutions with robust security systems.
Figure: Security Meister Prospective Organizations. Field: train and certify Field engineers who promote the application of advanced security technology in systems development and service operation, and those who implement safety and security for customers’ business operations (SE and service engineer organizations). Expert: conduct extensive training and certify Expert engineers equipped with a high level of specialized security skills to provide customers with optimal solutions (organizations engaged in the security business or operations supporting security). High Master: search the Fujitsu Group for personnel with the industry’s highest level of security expertise and certify them as High Master to counter sophisticated threats.
Figure: Security Meister Model. The engineer types are arranged by category (Field, Expert, High Master) and by area (SI*2 development; SI operations and services). Recoverable labels: system security engineers; higher-ranked system security engineers; security incident handlers; higher-ranked security incident handlers; code wizards; computer wizards; global white-hat hackers; senior security coordinators; penetration testers; cyber security researchers; forensic analysts; security product experts; security network coordinators; cyber-risk assessors.
Establishment of Training Programs
As part of establishing training programs for security engineers with emphasis on practical applications, Fujitsu has opened specialized training courses that correspond to each type of security engineer. A training program conducted in a cyber-range (virtual training area) has been newly set up. Fujitsu makes these training courses available to each of its customers.
A training scene
Searching for Capable Security Personnel and Increasing Their Number
Fujitsu is promoting the discovery of personnel with security skills and growth in the number of security engineers. Fujitsu also strives to consolidate knowledge and information from various divisions within the Company and has formed a Security Meister Community for the effective utilization of gathered resources. Experts sharing their knowledge within the community will result in the enhancement of their skills after they have been certified.
A security contest that includes hacking techniques is also being held internally. The security contest also utilizes the cyber-range, allowing 40 engineers to showcase their technical capabilities as they compete against each other at the same time.
In this manner, Fujitsu offers its customers safety and security as it proactively conducts security-related training.
Security Meister Community
Fujitsu held the “Fujitsu Cyber Security Workshop 2014” in December 2014 with 160 participants as part of its initiatives to enhance the technical capabilities of security engineers within the Fujitsu Group and to foster interaction among them.
The morning seminars with the theme of “Frontline of Security” were held in two locations with the executive management, managers and on-site engineers giving their respective insights.
In the afternoon, Fujitsu’s first ever security contest was held with 20 pairs competing against each other, showcasing their skills in hacking and knowledge of security.
The security contest differs from the usual CTF (Capture the Flag) contests and involves various schemes and ingenuity.
The secretariat created about 70 unique problems with the cooperation of High Masters with advanced security skills. In addition to tasks requiring practical application of security technology, such as finding an answer (a flag) somewhere on a web server or in packet data on a network, there were quiz-type questions covering extensive security areas.
There were also tasks related to social hacking, which require skills in wheedling or shoulder-hacking to acquire necessary information from the target.
By showing the progress of the contest through a dashboard specially designed for the event, contestants were not only able to showcase their skills, but the audience in another room was given real-time updates and explanations of the problems being solved at the same time, aiming to enhance the security capabilities of every attendee. Impressions and comments from participants included: “I haven’t actually been using my skills as much as I would have liked, so being able to participate was great,” “Now I know what I am capable of,” “I want an archive of the questions,” “I hope we can have an interdepartmental contest,” and “Please set up a write-up site (to explain the questions).”
Going forward, Fujitsu will continue holding this contest as part of its initiatives to enhance the technical capabilities of cyber security personnel and to foster interaction among them.
Scene from the cyber security contest
Fujitsu’s First Cyber Security Contest
Figure: Security Meister Community. Member groups: Product Development Group, Network Group, System Integration Group, Security Services Provision Group, Security Consulting Group and CSIRT Group, with knowledge assembly across the community. Support from the secretariat: coordination of the verification environment; coordination of participation in external organizations’ activities; coordination of lectures, writings, etc., for external use; preparation of an environment for information exchanges and communication.